From af390399c8017f69cfc9cdd4ef74144e6810fbe2 Mon Sep 17 00:00:00 2001
From: Lars Knoll <lars.knoll@theqtcompany.com>
Date: Wed, 14 Oct 2015 14:25:41 +0200
Subject: Fix a crash when copying array data

Regression from 5.5. d()->arrayData->alloc can be larger, but
never smaller than the allocation of the other's array data.

Change-Id: I7d2265768f9d6e6298bfbba0d674a4d0e642422f
Task-number: QTBUG-48727
Reviewed-by: Liang Qi <liang.qi@theqtcompany.com>
Reviewed-by: Nikita Krupenko <krnekit@gmail.com>
Reviewed-by: Simon Hausmann <simon.hausmann@theqtcompany.com>
---
 src/qml/jsruntime/qv4object.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src/qml/jsruntime')

diff --git a/src/qml/jsruntime/qv4object.cpp b/src/qml/jsruntime/qv4object.cpp
index ee3539c176..ba29d52bc6 100644
--- a/src/qml/jsruntime/qv4object.cpp
+++ b/src/qml/jsruntime/qv4object.cpp
@@ -1107,7 +1107,7 @@ void Object::copyArrayData(Object *other)
             dd->len = other->d()->arrayData->len;
             dd->offset = other->d()->arrayData->offset;
         }
-        memcpy(d()->arrayData->arrayData, other->d()->arrayData->arrayData, d()->arrayData->alloc*sizeof(Value));
+        memcpy(d()->arrayData->arrayData, other->d()->arrayData->arrayData, other->d()->arrayData->alloc*sizeof(Value));
     }
     setArrayLengthUnchecked(other->getLength());
 }
-- 
cgit v1.2.3